1 Linux IP Masquerading
Brian Vargyas, XNet Information Systems

2 Agenda
- What is IP Masquerade
- How does it work
- Example
- Setting up IP Masquerade
- References

3 What not to expect
- Teaching you how to set up Red Hat Linux 5.1
- How to compile and install a new kernel

4 Why is IP Masquerading hot?
- Demand to share a single Internet address across multiple machines
- Demand to save IPv4 address space
- Demand for better internal network security

5 Emerging Applications
- Network hiding
- Cable modem solutions
- xDSL solutions
- Dial-on-demand Internet

6 So what is it?
- A still-developing kernel networking function, shipped with Red Hat Linux 5.1 (2.0.x kernels)
- Allows machines connected to the Linux system to access the Internet as if they were all coming from the gateway's single IP address
- Hides the internal network: outside hosts only ever see the gateway's address, and an inbound packet that matches no translation entry is dropped unless a port forward has been configured for it. This hides addresses; it does not replace filtering rules on the gateway itself.

7 A Simple Setup
Linux gateway with two interfaces:
- ISDN link to the ISP, dynamic /32 address
- eth0 on the internal network, a static class A (/8) block

8 How it works
- Translation tables manage inside-to-outside address translation
- IPFWADM (IP Firewall Administration)
- IPPORTFW (IP Port Forwarding)
- Loadable kernel modules for special IP services such as FTP, IRC and Quake

9 IP Translation Tables

    Inside addresses               Outside address
    address / source port pairs    address / dest. port pairs

- The kernel keeps one entry per connection, mapping the inside (address, source port) pair to the gateway's outside address plus a masquerade port chosen for that connection
- Masquerade ports are taken from a pool of 4096 ports (61000 through 65095 on 2.0.x kernels); each active connection consumes one until it expires
- Replies arriving at a masquerade port are rewritten back to the inside address and port; a packet that matches no entry has nowhere to go and is dropped

10 IPFWADM (Firewall)
- Manages permit/deny firewall access lists
- Controls which networks are allowed to IP masquerade
- Denies access to all other networks (default forwarding policy deny)

11 IPPORTFW (Port Forwarding)
- Maps incoming requests on a port of the gateway's outside address to an inside address and port
- Lets you run the mail/web server on another host inside your network
- Gives complete flexibility in where to place IP services
- Not included in the standard Red Hat 5 distribution (needs a kernel patch plus the ipportfw utility)

12 Loadable Kernel Modules
- Let special IP services such as FTP operate correctly, i.e. ones with a back-channel data connection opened from the outside (active mode; passive FTP needs no helper)
- Only loaded into memory when needed
- Some services are not supported; PPTP needs separate patches
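To make slides 9, 11 and 12 concrete, here is a small model of the masquerade table, the ipportfw static forwards and the "no entry, so it is dropped" case that the helper modules exist for. This is an added illustration for this transcript, not the kernel's code or anything from the deck; the addresses (203.0.113.7 outside, 10.0.0.0/8 inside, 10.1.1.10 as the forwarded server) are constructed sample values, and the 900-second idle timeout is illustrative. The 61000..65095 port pool is the 4096-port range 2.0.x kernels used.

```python
"""Toy model of the Linux 2.0-era IP masquerade table plus ipportfw-style
static forwards.  Added illustration, not the kernel's code.  All addresses
below are constructed sample values."""
import ipaddress
from collections import deque
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

MASQ_PORT_BEGIN = 61000
MASQ_PORT_COUNT = 4096          # the 4096-port pool from slide 9
MASQ_TIMEOUT = 900.0            # idle timeout in seconds; illustrative, not the kernel's value


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Entry:                    # one masqueraded connection
    src: str                    # inside address
    sport: int                  # inside source port
    dst: str                    # outside peer address
    dport: int                  # outside peer port
    expires: float


class Masquerader:
    def __init__(self, ext_addr: str, inside_net: str, forwards=None):
        self.ext = ext_addr
        self.inside = ipaddress.ip_network(inside_net)
        # ipportfw -A -t <ext>/port -R <inside>/port  ->  (proto, ext_port): (inside_addr, inside_port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = dict(forwards or {})
        self.table: Dict[Tuple[str, int], Entry] = {}              # (proto, masq_port) -> Entry
        self.rev: Dict[Tuple[str, str, int, str, int], int] = {}   # inside 5-tuple -> masq_port
        self.free_ports = deque(range(MASQ_PORT_BEGIN, MASQ_PORT_BEGIN + MASQ_PORT_COUNT))

    def _drop(self, proto: str, mport: int) -> None:
        e = self.table.pop((proto, mport))
        del self.rev[(proto, e.src, e.sport, e.dst, e.dport)]
        self.free_ports.append(mport)                              # port goes back to the pool

    def expire(self, now: float) -> int:
        """Garbage-collect idle entries (the kernel does this from a timer); returns the count."""
        stale = [k for k, e in self.table.items() if e.expires <= now]
        for proto, mport in stale:
            self._drop(proto, mport)
        return len(stale)

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Inside -> outside, i.e. 'ipfwadm -F -a m -S <inside net> -D 0.0.0.0/0' with default deny."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            return None                                            # not a permitted network
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        mport = self.rev.get(key)
        if mport is not None and self.table[(pkt.proto, mport)].expires > now:
            self.table[(pkt.proto, mport)].expires = now + MASQ_TIMEOUT
        else:
            if mport is not None:
                self._drop(pkt.proto, mport)                       # stale entry: recycle its port
            if not self.free_ports:
                return None                                        # 4096-port pool exhausted
            mport = self.free_ports.popleft()
            self.table[(pkt.proto, mport)] = Entry(pkt.src, pkt.sport, pkt.dst, pkt.dport,
                                                   now + MASQ_TIMEOUT)
            self.rev[key] = mport
        return replace(pkt, src=self.ext, sport=mport)             # rewritten as if from the gateway

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Outside -> inside: static forwards first, then masquerade replies, otherwise dropped."""
        if pkt.dst != self.ext:
            return None
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:
            return replace(pkt, dst=fwd[0], dport=fwd[1])          # ipportfw mapping
        e = self.table.get((pkt.proto, pkt.dport))
        if e is None or e.expires <= now or (e.dst, e.dport) != (pkt.src, pkt.sport):
            return None   # no entry: unsolicited, e.g. an active-mode FTP data connection
        e.expires = now + MASQ_TIMEOUT
        return replace(pkt, dst=e.src, dport=e.sport)


def demo():
    gw = Masquerader("203.0.113.7", "10.0.0.0/8",
                     forwards={("tcp", 80): ("10.1.1.10", 80), ("tcp", 25): ("10.1.1.10", 25)})
    now = 1000.0
    out = gw.outbound(Packet("tcp", "10.1.1.2", 1025, "198.51.100.5", 80), now)          # inside -> web
    reply = gw.inbound(Packet("tcp", "198.51.100.5", 80, "203.0.113.7", out.sport), now + 1)
    stray = gw.inbound(Packet("tcp", "198.51.100.5", 20, "203.0.113.7", 1026), now + 1)  # no entry
    fwd = gw.inbound(Packet("tcp", "198.51.100.9", 40000, "203.0.113.7", 80), now + 1)   # port forward
    denied = gw.outbound(Packet("tcp", "192.0.2.3", 1025, "198.51.100.5", 80), now)      # not inside
    freed = gw.expire(now + MASQ_TIMEOUT + 2)                                             # idle timeout
    return out, reply, stray, fwd, denied, freed, len(gw.free_ports)


def exhaust_pool():
    """Open 4096 distinct UDP flows; the 4097th finds no free masquerade port."""
    gw = Masquerader("203.0.113.7", "10.0.0.0/8")
    opened = sum(gw.outbound(Packet("udp", "10.1.1.3", 10000 + i, "198.51.100.53", 53), 0.0)
                 is not None for i in range(MASQ_PORT_COUNT))
    return opened, gw.outbound(Packet("udp", "10.1.1.3", 20000, "198.51.100.53", 53), 0.0)
```

The two behaviours worth noticing are in `inbound`: a packet that hits neither a static forward nor an existing entry is dropped, which is both the "hiding" property of slide 6 and the reason active-mode FTP (server connecting back to the client's data port) needs a helper module; and `exhaust_pool` shows that the 4096-port pool is a hard ceiling on simultaneous connections per protocol through one gateway address.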

13 Example (My Home)
- 3 machines need Internet access
- 1 dynamic address provided by the cable company via DHCP
- Backup ISDN dial-up
- Windows NT web/mail server on the inside

14 Example Config
Linux gateway with three interfaces:
- eth1 to the cable modem (cable network, DHCP address)
- ISDN backup link to the ISP
- eth0 on the internal network, a static class A (/8) block

15 Setup Procedure
1. Configure all system interfaces. Make sure you can ping remote machines.
2. Verify that connectivity to your ISP is working.
3. Install the IPPORTFW kernel patches, rebuild the kernel (2.0.34), install it and reboot.
4. Compile the ipportfw utility and install it in /bin.
5. Edit /etc/rc.d/rc2.d/S99local and add the necessary ipfwadm and ipportfw configuration.
6. Make sure you have a default route (0.0.0.0/0) pointing at your ISP interface.

16 Setup Configuration (S99local)

    # S99local
    echo "1" > /proc/sys/net/ipv4/ip_forwarding
    /sbin/ipfwadm -F -p deny
    /sbin/ipfwadm -F -a m -S <inside-net>/24 -D 0.0.0.0/0
    /sbin/ipportfw -A -t <outside-addr>/80 -R <nt-server>/80
    /sbin/ipportfw -A -t <outside-addr>/25 -R <nt-server>/25
    route add default ...

(The concrete addresses and the default-route argument did not survive the transcript; the angle-bracket names stand in for them.)

Line by line: enable forwarding; set the forwarding chain's default policy to deny; add a masquerade (-a m) rule for the one inside network to any destination; forward TCP 80 and 25 on the outside address to the NT server; set the default route. Two caveats: these rules only govern forwarded traffic (-F), so traffic addressed to the gateway itself is still subject only to the input chain (-I), which the script does not configure; and because the outside address is assigned by DHCP, the ipportfw rules must be re-issued whenever that address changes.

17 Verify Configuration

    # netstat -M
    IP masquerading entries, free ports: UDP 4095 TCP 4096
    prot expire source destination ports
    udp  4:..   ...    ...         ... -> 4000 (61058)

    # ipfwadm -F -l
    IP firewall forward rules, default policy: deny
    type  prot source           destination ports
    acc/m all  <inside-net>/24  anywhere    n/a

    # ipportfw -L
    Prot Local Addr/Port      > Remote Addr/Port
    TCP  <outside-addr>/25    > <nt-server>/25
    TCP  <outside-addr>/80    > <nt-server>/80

netstat -M shows one live UDP masquerade entry (note the masquerade port 61058 drawn from the 61000+ pool and the free-port counts dropping from 4096), ipfwadm -F -l confirms the deny default policy with a single accept/masquerade rule, and ipportfw -L lists the two static forwards. Addresses in these listings did not survive the transcript.

18 Problems
- Not every IP protocol works (only protocols the table or a helper module can track)
- Difficult to run a web/mail server when your DHCP address keeps changing
- DNS for your domain needs to be hosted by the ISP

19 Private IP Address Space (RFC 1918)
Internal networks should use the address space RFC 1918 reserves for private use:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16

20 Illegal Address Space Issues
- If the internal network uses address space that is assigned to someone else on the Internet, inside hosts cannot reach the real owners of that space (DNS answers pointing into that range resolve to the wrong machines)
- Solving this requires another vendor's implementation: overlapping IP NAT (Cisco)

21 References
- IP Masquerade web page
- Port forwarding web page (steve/portforwarding.html)
- The author's web page
